Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

bungoume
August 05, 2017
Technology
28
10k

 OSSで始めるセキュリティログ収集/oss-securitylog-builderscon2017

osqueryの紹介
https://builderscon.io/tokyo/2017/session/ce1bf3ee-33bd-4899-897d-ba3c4364c1c5

bungoume

August 05, 2017
Tweet

More Decks by bungoume

See All by bungoume
日経電子版でのDjango活用事例紹介 / djangocongressjp2022-nikkei
bungoume
4
1.5k
CircleCIの活用事例とCI高速化/circleci-community-meetup3-speedup
bungoume
3
1.2k
Password Hashing djangocongress 20180519
bungoume
5
3.2k
日経電子版のアプリ開発を 支えるログ活用術/nikkei-log-201609
bungoume
1
1k
Kibanaで秒間1万件のアクセスを可視化した話/nikkei-kibana-loganalyst2015
bungoume
20
16k
uwsgi-docker-pycon2015
bungoume
11
55k
Ansibleを結構使ってみた/ansible-nikkei-2015
bungoume
32
14k
Dynamic Inventoryと参照変数
bungoume
2
4.4k

Other Decks in Technology

See All in Technology
ML PM, DS PMってどんな仕事をしているの?
line_developers
PRO
1
240
IoT から見る AWS re:invent 2022 ― AWSのIoTの歴史を添えて/Point of view the AWS re:invent 2022 with IoT - with a history of IoT in AWS
ma2shita
0
270
組織に対してSREを適用するとどうなるか
kuniim
7
2.8k
Oracle Transaction Manager for Microservices Free 22.3 製品概要
oracle4engineer
PRO
5
110
Stripe / Okta Customer Identity Cloud(旧Auth0) の採用に至った理由 〜モリサワの SaaS 戦略〜
tomuro
0
130
MarvelClient Upgrade 64bit クライアントへの自動アップグレード設定
mitsuru_katoh
0
160
UEでPLATEAU触ってみた
41h0_shiho
0
120
データベースの発表には RDBMS 以外もありますよ
maroon1st
0
240
ユーザーテストガイドライン VERSION 2.0
kouzoukaikaku
0
1.4k
AWS re:Invent 2022で発表された新機能を試してみた ~Cloud OperationとSecurity~ / New Cloud Operation and Security Features Announced at AWS reInvent 2022
yuj1osm
1
210
インフラ技術基礎勉強会 開催概要
toru_kubota
0
170
DNS権威サーバのクラウドサービス向けに行われた攻撃および対策 / DNS Pseudo-Random Subdomain Attack and mitigations
kazeburo
5
1.3k

Featured

See All Featured
Practical Orchestrator
shlominoach
178
8.9k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
2
400
The Web Native Designer (August 2011)
paulrobertlloyd
76
2.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
13
1.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Pencils Down: Stop Designing & Start Developing
hursman
114
10k
Fireside Chat
paigeccino
16
1.8k
For a Future-Friendly Web
brad_frost
166
7.8k
BBQ
matthewcrist
75
8.1k
A Modern Web Designer's Workflow
chriscoyier
689
180k
Learning to Love Humans: Emotional Interface Design
aarron
263
38k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
175
9.1k

Transcript

  1. 1 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  2. 2 ࣗݾ঺հ ക࡚ɹ༟ར (Yuri Umezaki) DevOps: ϩά෼ੳɾݕࡧAPIɾΠϯϑϥ؅ཧ Python, Elasticsearch, Docker

  3. 3 Ξϯέʔτ ɾ։ൃऀ ɾӡ༻ɺΠϯϑϥ؅ཧऀ ɾηΩϡϦςΟΤϯδχΞ ͋ͳͨͷۀ຿ʹ͍ۙͷ͸

  4. 4 ηΩϡϦςΟڴҖ վ͟Μɾ৘ใྲྀग़ ϥϯαϜ΢ΣΞ etc… ɾ಺෦ෆਖ਼ ɹ(ૢ࡞ϛε) ϑΝΠΞ΢Υʔϧ IDS/IPS/WAF αʔό(ػີσʔλ)

    ੬ ऑ ੑ ͳͲ ɾ֎෦߈ܸ ڴҖ͸֎෦ͱ಺෦ ྆ํʹજΉ

  5. ɾ཈ࢭɿࢥ͍ͱͲ·ΒͤΔ 5 ηΩϡϦςΟରࡦͷ෼ྨ ɾ༧๷ɿΞΫηε੍ޚͳͲ ɾݕ஌ɿ໰୊Λݕग़ɺ෮چͷख͕͔ΓΛه࿥ ɾ෮چɿෆਖ਼ͷ͋ͬͨલʹ໭͢ Ұൠʹ4ͭʹ෼ྨ ཈ࢭɾ༧๷ͱ͍ͬͨ๷ޚͷରࡦ͕ଟ͍

  6. 6 ৵ೖ΁ͷؾ͖ͮํ ɾࣾ಺ͷਓ͕ෆ৹ͳ఺ʹؾ෇͘ ɾ֎෦ͷ਌੾ͳϗϫΠτϋοΧʔ͔Βͷ࿈བྷ ɾϢʔβ͔Βͷ໰͍߹ΘͤͰൃ֮ ɾ߈ܸऀࣗ਎͕ڭ͑ͯ͘ΕΔ ← ໿൒਺͕֎෦͔Βͷࢦఠ*ͱ͍͏࿩΋ * FireEye

    M-Trends 2017: ηΩϡϦςΟ৵֐͓ΑͼαΠόʔ߈ܸͷ೥ؒτϨϯυ https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html

  7. 7 ֎෦߈ܸͷݕग़ ɾΞΫηεϩά΍IDS౳Ͱෆ৹ͳ௨৴Λݕग़ ɾϗετܕηΩϡϦςΟ੡඼Ͱݕ஌ ֎ͱαʔόͷதؒ੡඼Ͱ͋Δఔ౓कΒΕ͍ͯΔ ࠷ޙ͸ϗετʢαʔόࣗମʣͰݕग़͢Δ͔͠ͳ͍ αʔόͰ΋࠷௿ݶͷϩά͸ऩू͓͖͍ͯͨ͠

  8. 8 ಺෦ෆਖ਼ͷݕग़ ɾ୭͕͍ͭαʔόʹϩάΠϯ͍ͯ͠Δ͔ ɾαʔόͰԿΛ͍ͯ͠Δ͔(ૢ࡞ϩά) γεςϜ؅ཧऀͷೝূϩά͕ॏཁ ·ͣ͸αʔόͰͷೝূɾૢ࡞ϩάΛऩू͍ͨ͠

  9. 9 ૢ࡞ϩάͲ͏औΔʁ ɾbash history ɾscriptίϚϯυ ɾpsacct ɾaudit ؆୯ʹه࿥ఀࢭɾॻ͖׵͑Ͱ͖ͯ͠·͏ Ҿ਺ͳͲ͕֬ೝͰ͖ͳ͍,ίϚϯυ໊௕੍ݶ ؂ࠪϩάͱͯ͠ྑͦ͞͏

  10. 10 audit log # systemctl start auditd # auditctl -a

    always,exit -F arch=b64 -S execve ls ͚ͩͰෳ਺ߦϩά͕ग़Δ ύʔε͠ʹ͍͘… /var/log/audit/audit.log

  11. 11 audit logΛ׆༻͍ͨ͠ ɾgo-audit Slack੡ͷauditlogΛ͍͍ײ͡ʹύʔε͢Δπʔϧ ɾElastic Beats Filebeat 5.4(2017/5/4) ΑΓauditlogͷύʔα௥Ճ!

    ɾosquery ↑ࠓճ͸͜Ε ࢲͷ஌͍ͬͯΔൣғͰ͸ҎԼͷύʔα͕ศརͦ͏

  12. 12 osquery Facebook੡ͷϚγϯঢ়گ֬ೝπʔϧ ɾSQLͰ࣮ߦதͷϓϩηεɺϩάΠϯঢ়گͳͲ͕֬ೝͰ͖Δ osqueryi ɾεέδϡʔϧ࣮ߦͰϩάΛग़͠ɺ؂ࢹʹ΋ར༻Ͱ͖Δ osqueryd ɾLinux͚ͩͰͳ͘ɺwindows, macͰ΋ར༻Մೳ ஫:

    OSʹΑͬͯऔΕͳ͍छྨ͕͋Γ·͢ɻaudit events͸Ubuntu,CentOSͷΈ

  13. 13 osquery 2017/8/3 ݱࡏ githubͷstar͸9501 Linux Security Tools (Top 100)

    *ͷ10൪໨ʹ঺հ * https://linuxsecurity.expert/security-tools/top-100/

  14. 14 Linux Security Tools (Top 100) * https://linuxsecurity.expert/security-tools/top-100/

  15. 15 ࿅श: macͰosquery $ brew install osquery

  16. 16 ࿅श: macͰosquery chrome֦ுͳͲ·Ͱ෼͔Δ

  17. 17 LinuxͰosqueryd vim /etc/osquery/osquery.conf osqueryΛఆظ࣮ߦͯ͠ϩάʹग़ͯ͠ΈΔɹ service osqueryd restart

  18. 18 osquerydͷϩά /var/log/osquery/osqueryd.results.log ʹϩά͕JSONͰॻ͖ग़͞ΕΔ

  19. 19 audit events ֎෦ͱͷ௨৴ཤྺΛऔΔͳΒsocket_events΋ vim /etc/osquery/osquery.conf

  20. 20 audit events /etc/osquery/osquery.flags ʹҎԼΛهࡌ socket_eventsΛऔಘ͢Δ৔߹͸ ΋ඞཁ
 ʢ஫:͜ͷΦϓγϣϯΛ͚ͭΔͱCPU࢖༻཰͕૿͑Δʣ

  21. 21 process_events ϩά lsͷ࣮ߦϩά

  22. 22 socket_events ϩά

  23. 23 ϑΝΠϧ੔߹ੑ؂ࢹ ࡞੒/มߋ/࡟আΛϑΝΠϧ΍ύε୯ҐͰ؂ࢹ vim /etc/osquery/osquery.conf

  24. 24 ϑΝΠϧ੔߹ੑ؂ࢹ ϩά AIDE,OSSEC,Tripwire ͋ͨΓͷ୅ସʹͳΔ͔΋ echo “message” >> /etc/test ޙͷϩά

  25. 25 osquery ৭ʑऔΕΔ! ೝূɾૢ࡞ϩάΛऔΔ໨తͰܾΊ͚ͨͲ
 ϗετܕIDSͱͯ͠े෼ػೳͦ͠͏ υΩϡϝϯτ΋ॆ࣮ ίϚϯυ׳Εͯͳ͍ਓʹ΋࢖͍΍͍͢ʢ͔΋ʣ εέδϡʔϧ࣮ߦͰ͖Δ ݁Ռ͕JSONͰు͖ग़͞ΕΔͷͰ׆༻ָ͕ʢॏཁʣ

  26. 26 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ಺෦Ͱ͸RocksDBͱ͍͏key-valueܕσʔλετΞΛར༻ https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/ osqueryd͸ఆظΫΤϦΛ࣮ߦ࣌
 લճͷ݁Ռ͕RocksDBʹ֨ೲ͞Ε͍ͯͳ͍͔νΣοΫ͢Δ ɾσʔλ͕ͳ͍৔߹ - ͢΂ͯͷߦΛදࣔ͠ɺ݁ՌΛ֨ೲ ɾҎલͷ݁Ռ͕DBʹ͋Δ৔߹

    - 2ͭͷσʔληοτΛൺֱ͠ɺࠩ෼Λग़ྗ

  27. 27 osquerydͷ࢓૊Έ(ͬ͘͟Γ) ఆظ֬ೝͷؒʹมߋͯ͠໭ͨ͠Β௨஌͞Εͳ͍ͷͰ͸ʁ ϑΝΠϧ੔߹ੑ؂ࢹʹ͍ͭͯ Event-based monitoringͳͷͰมߋͷ৘ใ͕อ࣋͞ΕΔ (fileͰ͸inotify͓ΑͼFSEventsΛ࢖༻)

  28. 28 ԿΛ؂ࢹର৅ʹ͢Δ͔(Ұྫ) ɾೝূϩάʢϩάΠϯΠϕϯτʣ ɾૢ࡞ϩά ɾ௨৴ϩά ɾϋʔυ΢ΣΞ઀ଓϩά

  29. 29 ԿΛ؂ࢹର৅ʹ͢Δ͔(୺຤) ɾChrome, firefoxͷplugin ɾ֦ுػೳʹϚϧ΢ΣΞ͕ೖΔέʔε͕ۙ೥໰୊ʹ ɾhomebrew౳ϥΠϒϥϦͷҰཡ ɹɾ༗໊ॴͱࣅ໊ͨલͷϚϧ΢ΣΞ͕npmͰݟ͔ͭΔ HTTP Headers ͱ͍͏

    5ສਓ͕࢖͍ͬͯΔ Chrome ֦ுͷϚϧ΢ΣΞٙ࿭ http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware npmjs.com Ͱஶ໊ιϑτ΢ΣΞʹΑ͘ࣅ໊ͨલͷϚϧ΢ΣΞ͕େྔʹൃݟ͞Εͨ http://gfx.hatenablog.com/entry/2017/08/02/131537

  30. 30 Pack osquery_monitoring it_compliance, incident_response osx-attacks, vuln-management osqueryʹ͸ΫΤϦύοΫ΋༻ҙ͞Ε͍ͯΔ hardware-monitoring

  31. 31 osquery.conf ઃఆྫ ·ͣ͸Pack + ࢖͏ͱ͜Ζ͔Β

  32. 32 Logrotate΋๨Εͣʹ ݁ߏͳϩάͷྔʹͳΔͷͰɺlogrotate͸ඞཁ /etc/logrotate.d/osqueryd dailyͩͱਏ͍͜ͱ΋͋ΔͷͰhourly͕ྑ͍͔΋

  33. 33 ϩάΛूΊΔ S3

  34. 34 FluentdͰύʔε JSONͳͷͰfluentdͰͷύʔε͕؆୯

  35. 35 Elasticsearch΁ϩάอଘ

  36. 36 ϢʔβͷίϚϯυཤྺ

  37. 37 sshdϩάΠϯࢼߦ

  38. 38 ϩάͷ࢖͍ํɺӡ༻ ElasticsearchʹϩάೖΕ͓͚ͯ͹ɺ Elastalert΍WatcherΛར༻ͯ͠ ҟৗͳૢ࡞΍஫ҙ͕ඞཁͳίϚϯυΛݕࡧ/௨஌Մೳʹ

  39. 39 νϟοτπʔϧʹ௨஌ ϩάΠϯΠϕϯτΛSlackʹ௨஌͢Δ ௨஌͕͋ͬͨΒ࣮ߦऀ͕֬ೝίϝϯτ͢Δ͜ͱͰ ͩΕ͕ɾ͍ͭɾͲ͏͍͏໨తͰαʔόૢ࡞͍ͯ͠Δ͔
 ৘ใڞ༗ͱ(Ұछͷ)ଟཁૉೝূ͕Ͱ͖Δ

  40. 40 ஫ҙ఺ͳͲ ɾosqueryͷ։ൃ͸׆ൃ ɹɾҎલ͸Disk IO͕૿͑Δόά͕͋ͬͨ(मਖ਼ࡁ) ɾϝϞϦ͸100MB΄Ͳফඅ ɾsocket؂ࢹΛ༗ޮʹ͢ΔͱCPUΛফඅ(5%ఔ౓?) ɾosqueryd͸εέδϡʔϧํࣜ ɹɾϩάॻ͖ग़͠Ͱ׬શੑ͸গ͠ऑ͍ ɹɾgo-auditͳͲπʔϧΛ૊Έ߹Θͤͯ࢖͍·͠ΐ͏

  41. 41 OSSͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  42. 42 OSS osqueryͰ࢝ΊΔ ηΩϡϦςΟϩάऩू ക࡚ ༟ར builderscon tokyo 2017

  43. 43 ·ͱΊ ɾηΩϡϦςΟӡ༻ෛՙ͕গͳ͍ܗͰશମઃܭ͢Δ ɾ༏ઌ౓ͷߴ͍ϩά͔Β׆༻͍ͯ͘͠ ɾϩάͷվ͟Μ΍ϩετΛճආ͢Δػߏ΋ݕ౼͠Α͏ ɾ߈ܸͷ༧๷΍෮چ΁ͷखॱཱ֬΋େ੾

  44. 44 osquery͸ۜͷ஄ؙͰ͸ͳ͍ ૊Έ߹Θͤͯར༻͠·͠ΐ͏ osqueryೖΕͯOKͰ͸ͳ͘

  45. 45 osquery ೔ຊͰ΋࢖͍͖ͬͯ·͠ΐ͏